For privacy reasons, we provide three DNS-over-TLS resolvers. These are only accessible over port 853. We have no plans to provide DNS over port 53 (plaintext) or port 443 (HTTPS).
# Unbound configuration: forward every zone to the resolvers over TLS
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    rrset-roundrobin: yes
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 18.104.22.168@853#dns1.nuked.me
    forward-addr: 22.214.171.124@853#dns2.nuked.me
    forward-addr: 126.96.36.199@853#dns3.nuked.me
# Stubby (getdns) configuration
dnssec_return_status: GETDNS_EXTENSION_TRUE
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private : 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  - 0::1
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 188.8.131.52
    tls_port: 853
    tls_auth_name: "dns1.nuked.me"
  - address_data: 184.108.40.206
    tls_port: 853
    tls_auth_name: "dns2.nuked.me"
  - address_data: 220.127.116.11
    tls_port: 853
    tls_auth_name: "dns3.nuked.me"
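What `tls_query_padding_blocksize: 256` and strict authentication on port 853 mean on the wire, as an added example that is not part of the original page or of Unbound or Stubby. All function names here are hypothetical, and the resolver address and TLS auth name are passed on the command line rather than hard-coded.

```python
import socket, ssl, struct, secrets, sys

def build_query(name, qtype=1, block=256):
    """Query padded with EDNS(0) Padding (RFC 7830) to a multiple of `block` bytes."""
    header = struct.pack("!HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 1)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)              # QTYPE, QCLASS=IN
    unpadded = len(header) + len(question) + 11 + 4       # OPT RR fixed part + option header
    pad = (-unpadded) % block
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 4 + pad)  # root, OPT, UDP size, TTL, RDLEN
    opt += struct.pack("!HH", 12, pad) + b"\x00" * pad    # option code 12 = Padding
    return header + question + opt

def frame(msg):
    """DoT reuses DNS-over-TCP framing: a two-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(reply):
    """Return (id, rcode, answer count) from a DNS reply header."""
    if len(reply) < 12:
        raise ValueError("short DNS message")
    msg_id, flags, _qd, ancount = struct.unpack("!HHHH", reply[:8])
    return msg_id, flags & 0x000F, ancount

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def dot_query(addr, auth_name, name, port=853, timeout=5.0):
    """Strict auth: handshake fails unless the cert chains to a system CA and matches auth_name."""
    ctx = ssl.create_default_context()
    query = build_query(name)
    with socket.create_connection((addr, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            msg_id, rcode, ancount = parse_header(recv_exact(tls, length))
    if msg_id != struct.unpack("!H", query[:2])[0]:
        raise ValueError("reply ID does not match query")
    return rcode, ancount

if __name__ == "__main__":   # usage: script.py <resolver-ip> <tls-auth-name>
    print(dot_query(sys.argv[1], sys.argv[2], "example.com"))
```

Because every padded query is a multiple of 256 bytes, an observer of the encrypted stream cannot tell short names from long ones by record size.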
Depending on how you handle DNS currently, you may need to make other changes.
If you use a static /etc/resolv.conf, you just need to edit the nameserver entry to point to the local resolver; Unbound handles the rest.
If you use systemd-resolved, you'll need to do the following:
Uncomment and edit the first line to this:
sudo service systemd-resolved restart
To check it's set correctly, run resolvectl dns and that's it!
For Windows, further information is available at privacytools.io.